Tinhat

Crime

Just as the internet has offered new avenues for law-abiding people, it's given new opportunities for criminals. They've been very happy to take them up. It's a wonderful world for wrong-doers.

The law lags behind technology, so a lot of negative web activity is not properly covered by legislation.

Police forces often lag too. They may not have the skills or facilities for enforcement.

Cyber-crime often crosses national boundaries, which makes it more difficult to tackle.

Individual victims may not be aware of the criminal possibilities or understand how to protect against them.

Large corporate victims may avoid reporting cyber-crime for commercial reasons.

The pickings are good, often in the millions.

There's usually no need for violence, so punishments are broadly lower.

Failed attempts usually attract no punishment at all.

Given this list of positives, it's not surprising that most new criminals and many established gangs have turned to cyber-crime. It's much safer than physical crime, far less likely to be punished, and doesn't have a particularly negative image.

Cyber-crime is massively under-reported. That's a bold statement, as by definition we can't get accurate numbers on something that's not admitted. But we can certainly look at the psychology of reporting. Consider the point of view of a corporate victim losing, say, a couple of million dollars to a thief hacking their network. Why would they bother to report the crime? It's bad for their image, there's very little chance of the money being returned as it's likely to have finished up in a different country, and with some creative accounting the loss can probably be hidden. Plus there's a cost in all the aggravation of involving the police and lawyers. A real-world crime is less damaging to the corporate image, there's more chance of the money being returned, and it's harder to hush up.

To hide a cyber-theft you only need the collusion of the network manager, one or two techies, the chief finance officer and somebody at the top. A mere handful of people.

We can also look at the technical side of hacking. What are the chances that a large corporation could be hacked? That's very easy to answer. Both the FBI and the US Department of Defense have been hacked. Unless we believe that corporations have better security than these two organisations, we come to the conclusion that corporations must be hacked on a regular basis. There's also the small issue that if hackers dare attack two security organisations that have a fierce ability to fight back, they're hardly likely to worry about taking on weak businesses. The FBI and Department of Defense admitted early on that they had been hacked, perhaps in a spirit of aggressive bravado – if you attack us we'll find you. Unfortunately this rather gave the game away about the ability of hackers.

Given the pros and cons of reporting cyber-crime, it's surprising that any gets reported at all. If you look at corporate cyber-crime that does get reported, you'll generally find it's got to a level where it can't be hidden: for example, there are hundreds or thousands of customers involved, or the amount of money is so great that the impact can't be disguised. We do have to account for a bias in journalism – the big hits are the most widely reported – but start looking for smaller strikes that potentially could be hidden by the victim and you find very little.

So even though there are by definition no figures on under-reporting, we can be pretty sure there's a lot of it going on.